I have 3 interfaces, 2 in high availability with 2 routers and 1 for the local net. I have configured shorewall in bridge mode but I can't define some zones. I need to limit access from the internet (rcja here), but allow it from some subnets (hvn, serja). I use the file /etc/shorewall/hosts:

# Shorewall 2.2 - /etc/shorewall/hosts
# .... ....
#ZONE   HOST(S)                         OPTIONS
nave    br0:eth0
#rcja   br0:eth1
#rcja   br0:eth2
hvn     br0:eth1:10.104.24.53
hvn     br0:eth1:10.104.24.0/21
hvn     br0:eth2:10.104.24.0/21
sercja  br0:eth1:10.234.0.0/16
sercja  br0:eth2:10.234.0.0/16
#rcja   br0:eth1
#rcja   br0:eth2
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

I have defined the following policy:

#
# Shorewall 2.2 -- Policy File
#
# /etc/shorewall/policy
# .... ....
fw      all     ACCEPT
nave    hvn     ACCEPT
hvn     nave    ACCEPT
nave    serja   ACCEPT
serja   nave    ACCEPT
hvn     fw      REJECT
all     all     REJECT
#LAST LINE -- DO NOT REMOVE

I'm working in the hvn zone, so I have the following rule (in the /etc/shorewall/rules file) in order to get access to the firewall:

ACCEPT  hvn     fw      tcp     10000

The problem is that if I comment out the rcja zone in the hosts file the rule doesn't work, it applies the all2all policy; if I leave the rcja zone commented it works, but when I check shorewall it gives me the following warning:

Determining Hosts in Zones...
Warning: Zone rcja is empty
   nave Zone: br0:eth0
   hvn Zone: br0:eth1:10.104.24.53 br0:eth1:10.104.24.0/21 br0:eth2:10.104.24.0/21
   serja Zone: br0:eth1:10.234.0.0/16 br0:eth2:10.234.0.0/16

And I have the doubt whether it is working fine or not, and I'm not sure if it is filtering access to all equipment that comes in from eth1 or eth2 but doesn't belong to hvn or serja.
Antonio Trujillo Carmona wrote:
>
> I'm working in the hvn zone, so I have the following rule (in the /etc/shorewall/rules
> file) in order to get access to the firewall:
> ACCEPT hvn fw tcp 10000
> The problem is that if I comment out the rcja zone in the hosts file the rule
> doesn't work, it applies the all2all policy; if I leave the rcja zone commented
> it works, but when I check shorewall it gives me the following warning:
> Determining Hosts in Zones...
> Warning: Zone rcja is empty
>    nave Zone: br0:eth0
>    hvn Zone: br0:eth1:10.104.24.53 br0:eth1:10.104.24.0/21
> br0:eth2:10.104.24.0/21
>    serja Zone: br0:eth1:10.234.0.0/16 br0:eth2:10.234.0.0/1
> And I have the doubt whether it is working fine or not, and I'm not sure if it
> is filtering access to all equipment that comes in from eth1 or eth2 but
> doesn't belong to hvn or serja.

Define the 'rcja' zone LAST in /etc/shorewall/zones. The other zones (except for loc) appear to be sub-zones of 'rcja' and hence must be declared first.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sun, 30-04-2006 at 14:59 -0700, Tom Eastep wrote:
> Define the 'rcja' zone LAST in /etc/shorewall/zones. The other zones
> (except for loc) appear to be sub-zones of 'rcja' and hence must be
> declared first.
>
> -Tom

Thank you. I did it before asking you, because I thought it would be read from first to last, but it doesn't work even if I add:

rcja    br0:eth1:0.0.0.0/0
rcja    br0:eth2:0.0.0.0/0

It is the same, it doesn't work, so I commented it out as you can see; it is commented at the beginning and at the end due to different tests:

# Shorewall 2.2 - /etc/shorewall/hosts
# .... ....
#ZONE   HOST(S)                         OPTIONS
nave    br0:eth0
#rcja   br0:eth1
#rcja   br0:eth2
hvn     br0:eth1:10.104.24.53
hvn     br0:eth1:10.104.24.0/21
hvn     br0:eth2:10.104.24.0/21
sercja  br0:eth1:10.234.0.0/16
sercja  br0:eth2:10.234.0.0/16
#rcja   br0:eth1
#rcja   br0:eth2
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

-- 
Antonio Trujillo Carmona <trujo@dti2.net>
Antonio Trujillo Carmona wrote:
> On Sun, 30-04-2006 at 14:59 -0700, Tom Eastep wrote:
>
>> Define the 'rcja' zone LAST in /etc/shorewall/zones. The other zones
>> (except for loc) appear to be sub-zones of 'rcja' and hence must be
>> declared first.
>>
>> -Tom
> Thank you. I did it before asking you, because I thought it would be read
> from first to last, but it doesn't work even if I add:
> rcja br0:eth1:0.0.0.0/0
> rcja br0:eth2:0.0.0.0/0

I SAID THE *ZONES* FILE, NOT THE HOSTS FILE!!!!!!!!!

-Tom
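To illustrate the ordering point Tom is making, here is an added example that is not Shorewall's code and not from either poster: a simplified Python model of first-match zone classification in zones-file order, built from the hosts entries in the thread. The zone order lists, the zone name "serja" for the 10.234.0.0/16 entries, and the use of 0.0.0.0/0 to stand for a whole-interface entry are assumptions of the model.

```python
import ipaddress

# Hosts-file style entries (zone, bridge port, network) mirroring the thread.
# A whole-port entry such as "nave br0:eth0" is modelled as 0.0.0.0/0
# (assumption of this model, not Shorewall syntax).
HOSTS = [
    ("nave",  "br0:eth0", "0.0.0.0/0"),
    ("hvn",   "br0:eth1", "10.104.24.0/21"),
    ("hvn",   "br0:eth2", "10.104.24.0/21"),
    ("serja", "br0:eth1", "10.234.0.0/16"),
    ("serja", "br0:eth2", "10.234.0.0/16"),
    ("rcja",  "br0:eth1", "0.0.0.0/0"),   # internet: everything else on eth1
    ("rcja",  "br0:eth2", "0.0.0.0/0"),   # internet: everything else on eth2
]


def classify(zones_order, hosts, iface, src_ip):
    """Return the zone a packet arriving on `iface` from `src_ip` lands in.

    Simplified model: zones are tried in /etc/shorewall/zones order and the
    first matching (zone, port, network) entry wins, so a catch-all zone
    declared before its sub-zones swallows their traffic."""
    ip = ipaddress.ip_address(src_ip)
    for zone in zones_order:
        for z, i, net in hosts:
            if z == zone and i == iface and ip in ipaddress.ip_network(net):
                return zone
    return None


def rule_fires(zones_order, hosts, iface, src_ip, rule_zone="hvn"):
    """True when the thread's 'ACCEPT hvn fw tcp 10000' rule would match,
    i.e. the source is classified into the zone the rule names."""
    return classify(zones_order, hosts, iface, src_ip) == rule_zone


# Catch-all zone before its sub-zones: the admin host is classified as rcja,
# the hvn rule never fires and the all->all REJECT policy applies.
WRONG_ORDER = ["nave", "rcja", "hvn", "serja"]
# Sub-zones first, internet zone last, as advised in the reply.
RIGHT_ORDER = ["nave", "hvn", "serja", "rcja"]

if __name__ == "__main__":
    samples = [("br0:eth1", "10.104.24.53"), ("br0:eth2", "10.234.1.7"),
               ("br0:eth1", "198.51.100.9")]  # constructed sample sources
    for order in (WRONG_ORDER, RIGHT_ORDER):
        for iface, ip in samples:
            print(order, iface, ip, "->", classify(order, HOSTS, iface, ip))
```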
On Sun, 30-04-2006 at 15:43 -0700, Tom Eastep wrote:
> Antonio Trujillo Carmona wrote:
> > On Sun, 30-04-2006 at 14:59 -0700, Tom Eastep wrote:
> >
> >> Define the 'rcja' zone LAST in /etc/shorewall/zones. The other zones
> >> (except for loc) appear to be sub-zones of 'rcja' and hence must be
> >> declared first.
> >>
> >> -Tom
> > Thank you. I did it before asking you, because I thought it would be read
> > from first to last, but it doesn't work even if I add:
> > rcja br0:eth1:0.0.0.0/0
> > rcja br0:eth2:0.0.0.0/0
>
> I SAID THE *ZONES* FILE, NOT THE HOSTS FILE!!!!!!!!!
>
> -Tom

Sorry, and many thanks.
I'm going to try it on Tuesday.
Antonio Trujillo Carmona wrote:
> On Sun, 30-04-2006 at 15:43 -0700, Tom Eastep wrote:
>> Antonio Trujillo Carmona wrote:
>>> On Sun, 30-04-2006 at 14:59 -0700, Tom Eastep wrote:
>>>
>>>> Define the 'rcja' zone LAST in /etc/shorewall/zones. The other zones
>>>> (except for loc) appear to be sub-zones of 'rcja' and hence must be
>>>> declared first.
>>>>
>>>> -Tom
>>> Thank you. I did it before asking you, because I thought it would be read
>>> from first to last, but it doesn't work even if I add:
>>> rcja br0:eth1:0.0.0.0/0
>>> rcja br0:eth2:0.0.0.0/0
>> I SAID THE *ZONES* FILE, NOT THE HOSTS FILE!!!!!!!!!
>>
>> -Tom
> Sorry, and many thanks.
> I'm going to try it on Tuesday.
>

Good luck...

-Tom